How-To Geek

How To Hide Passwords in an Encrypted Drive Even the FBI Can’t Get Into


Encryption tools exist to protect your privacy… and also to make you feel like you’re an awesome spy. Today we’ll use a portable USB drive to hold all of your passwords encrypted in a virtual disk hidden inside a file.

Certain kinds of cryptography were once called “weapons of mass destruction” because certain people thought it was so dangerous. Although clever people are making it good security more and more difficult, encryption tools like the one we’ll be using today are readily available, free, and provide a high level of security that is nearly impossible to break into if done properly. Put on your spy mask and keep reading to find out how to build the perfect encrypted password safe.

And for the skeptics that are curious about the “FBI” claim in our headline, you can read up on Operation Satyagraha, where money launderer Daniel Dantas has successfully encrypted his data and kept the FBI at bay for as long as a year with the very tools we’re going to use today.

Step 1: Get A Reliable USB Drive

If you’re like many geeks, you’ve had your fair share of USB keydrives die on you. The cheap ten dollar drives may not be hardy enough to put a vault of your most important passwords on, so you may have to get a little spendy and pick up one that will last for a while. How-to Geek doesn’t endorse any particular brand of USB drives, but the author has had a lot of success with the Lacie Iamakey series. Lifehacker has featured them on several occasions, and they take a beating and keep your data safe. Use any brand that you think is good enough to hold keys to your online life—feel free to take the author’s recommendation with all the grains of salt you see fit.

Step 2: Create An Encrypted Drive or File with Truecrypt


A lot of software exists for encrypting files, but Truecrypt is a very solid choice. The two features we’re interested in are the ability to encrypt hidden files and the ability to run Truecrypt as portable software. You’ll need both if you ever intend to use your encrypted password key on any machine that isn’t your own.


We’ve done several great guides on how to use TrueCrypt, so we’re not going to delve too deeply into the details today. Here we’ll go over our a basic installation of a portable version of TrueCrypt on your USB disk. To begin, run the TrueCrypt installer and select “Extract” to install it on the USB disk.

And if you prefer, check out our previous guides to the program if you want to try and make your spy drive some other way.

TrueCrypt can’t be used “transparently” as a portable EXE file. This basically means that you’ll need administrator control over a machine to use it as a portable application. If this is okay to you, simply hit yes to go on to the next step. If not, you won’t really be able to open your encrypted drive on any machine but one with TrueCrypt installed, effectively tying it to your home PC. For today’s example, we’ll just be extracting it to the USB disk.


Extract the TrueCrypt files to any folder on the disk.


Find the TrueCrypt.exe file on your USB disk and run it. You’ll have to give that pesky administrator permission to start the program.


With TrueCrypt open, find “Create New Volume.”


We’ll be creating a volume hidden inside a file. Again, since we’ve already covered it, we’re going to be brief. For a more detailed article on creating a hidden volume with TrueCrypt (including how to create a hidden volume inside a hidden volume) check out our older article on hidden TrueCrypt volumes.


TrueCrypt asks us to pick a file to use as our hidden volume. Pick an empty, inconspicuous junk file. Don’t use anything important, because this file will be overwritten with your encrypted volume once you’re done.


With your volume file selected, click next to go onward.


TrueCrypt supports lots of different Encryptions Algorithms, but the default one will work well enough. Research them all if you care to, or just use the default AES encryption.


You’ll pick a size for your virtual disk. Unless your disk is full of big files, it might get noticed if it is too large. But don’t make it too small, because you might not be able to fit the portable application in the virtual disk.


Once that’s done, input a password or passphrase and optional keyfiles. You should probably be able to remember any password, but it should be secure enough that brute force methods of password cracking won’t break it easily.


TrueCrypt (and KeePass as well) can use practically any kind of file as part of the password. This can add extra layers of security beyond any password to your hidden volume. Simply be careful in your choice of file, since any change to the file’s contents may mean that it will no longer open your volume, and your data may be lost forever. When you’re done picking (or not using) keyfiles, hit OK, then hit Next on the “Outer Volume” screen.


Click format when you’re done looking at the random strings generated by your mouse movements.


Last warning—you’re overwriting the file you picked. Make sure you don’t use one you intend to keep!


You can now mount your “outer volume” on this screen and go on to create a “hidden volume” if you wish.


It’s pretty easy and can provide yet another layer to your labyrinth of encryption. But for our demonstration today, we’ll be skipping this step and mounting our drive to install KeePass.

Step 3: Mount the Hidden Drive and Install KeePass Portable


With TrueCrypt open, you can now open your hidden volume using your password and keyfile or keyfiles. Once you’ve mounted your virtual disk, you can open it by double clicking it in TrueCrypt.


If you’re following along, you’ll find that your new virtual disk is empty.


If you haven’t already, you can download KeePass portable to use on your new USB disk. You can download the standard version and only keep your passwords on the encrypted drive, but the portable version is also free and very easy to install on a USB disk.


Double click the installer to put the portable app on your (currently mounted) virtual disk.


In our example earlier, we mounted our encrypted disk as “G:” so we simply install KeePassPortable in that directory.


KeePass is a simple an intuitive program to use. It will generate and store long passwords as secure as we know how to make them. Even though the best practice may be turning towards passphrases over passwords, KeePass will store any either kind and recall it for you whenever you need to break into your accounts.

Assuming you’ve got the portable app installed, run it and select the option to create a new Password Database file. Like TrueCrypt, you can elect to use a password and keyfile, recommended to add security beyond a simple password or phrase. Just remember, the same rule applies—don’t use a file that is likely to change, because you may lock yourself out of your password safe forever if it does.


We won’t go into the wonders of KeePass today, since we’ve already covered them ages and ages ago and the program hasn’t functionally changed all that much. But, once you’ve created your password database, save it to the encrypted drive (G:/ in our example) to keep it away from prying eyes.

For a more in-depth write up on KeePass, check out our previous write-up, with the basics and great tips on how to use it.

Step 4: Your Passwords are Now Safe From The KGB


Now that you’ve got your passwords locked away in an encrypted vault, you can rest assured they’re safe from all but the most insanely dedicated of users. So what else do you want to use your new cryptographic powers for? Sensitive, personal files can be stored here, and other portable apps can be installed in your hidden virtual disk. Why not tell us about your experience with TrueCrypt in the comments, or simply email your thoughts to

Image Credits: Anonymity and the Internet by Stian Eikeland, Creative Commons. Spy by sewing punzie, Creative Commons.

Eric Z Goodnight is an Illustrator and Stetson-wearing wild man. During the day, he manages IT and product development for screenprinted apparel manufacturing; by night he creates geek art posters, writes JavaScript, and records weekly podcasts about comics.

  • Published 05/17/12

Comments (42)

  1. phil fotot

    I’ve tinkered with truecrypt but have yet to use it for anything. I have an 8GB IronKey that’s been more than sufficient to hold all my sensitive data.

    I think I’ll give your guide a run through and setup some “annoyance” files in case my system is confiscated ;-)

  2. Anonymous

    Keepass uses very strong encryption (AES) for the entire database you create. Thus, it seems pointlessly redundant to store your keepass database in a Truecrypt volume. As long as you use a very secure passphrase to encrypt your keepass database, that should be all you need.

    Here are the specifics of Keepass encryption:

  3. Eric Z Goodnight

    This is a great point, but I KeePs won’t hide your file, and redundant encryption with two separate passwords and keyfiles means two sets to break through.

  4. YoungBud

    why use a .txt as your TC Volume, its only suspicious when your .txt file is 5GB or larger lol, i Save it under a movie format “mi ghost protocol brrip.avi”.. over all Great article thax..

  5. Brandon

    YoungBud, AVI files have a common file header that make fake ones easy to spot, but I agree TXT is conspicuous too. If you want to be safer, use file extensions that do not have common headers.

  6. Citizen Dos

    Unless, the copy of TruCrypt you downloaded was compromised, which isn’t just a possibility, but a probability.

    Today’s young leaders, nepotistic officials, and wealthy are quickly becoming fascist-minded due to ignorance of history, empathy, lack of patriotism, and a sense of undue power. Soon merely voicing opposition to political parties will be enough for this next generation to persecute and slander you.

    So, it is very important to learn how to communicate securely with large groups of freedom minded, intelligent people in order to maintain a balance of power.

    To do this, you MUST understand cryptology, sure, but you also need to recognize where the weakest links are. Make sure that you aren’t relying on government sponsored propaganda or faux “protection”

  7. Brandon

    Citizen Dos,
    You can check the MD5 and SHA checksums of the downloaded file[s] to ensure that the installer or archived package has not been tampered with.

  8. Citizen Dos

    The safest place to hide passwords is in an encrypted portion of your brain; however, passwords aren’t very effective if I can see your hands or hear you typing.

    Have you ever thought, “I typed the correct password.”, but had to re-enter it anyway?

    Do you trust your operating system vendor?

    Did you verify that there wasn’t a man-in-the-middle when you logged into your bank?

    Is that certificate authority real or already compromised by some organization?

    Just messing with your head.

  9. Citizen Dos

    If I stand between you and the person holding the file you are requesting, I can switch the files. Plus, when you ask for a MD5 checksum, I will give you what you’d like to see.

  10. Brandon

    Citizen Dos,
    +1 for the reference to “hear you typing”. Did you know MIT researchers have been able to relatively reliably figure out what keys were entered just by having computers analyze the sounds of a user typing at the keyboard? Pretty amazing stuff.

  11. Citizen Dos

    @Brandon: Yes, I do.

  12. nehumanuscrede

    The above mentioned setup makes it tough for folks to BRUTE FORCE your keys. It is trivial, especially for any government entity, to install a keylogger on the machine they’re interested in. ( Hardware or software ) Simple enough, actually, for any tech minded individual to do it. Spouse, parents, etc. included. I’m half surprised today’s keyboards don’t come with keylogger guts in it already. Would make key retrieval . . . well . . . trivial.

    At which point they simply need to sit and wait for you to access it.

    They won’t need to worry about unlocking your encryption if you are going to hand them the keys to do it with.

  13. Robert in Oregon

    I love the How-To-Geek newsletter, but this article title “How To Hide Passwords in an Encrypted Drive Even the FBI Can’t Get Into” suggests the purpose is to teach individuals how to conceal criminal conduct.

    Really? Is this the sort of idea that How-To-Geek wants to support and condone? This one was not well thought out., guys and gals.

  14. me

    Haven’t really used keepass before, but I thought it populates the password directly. Keyloggers would be useless.

  15. mmg1818

    and BitLocker Drive Encryption for what is ?

  16. kub

    And what about this /watch?v=o9cvC-xHoNk
    This will beat Google glasses

  17. Tom

    @ROBERT IN OREGON; Actually the general community at large views the FBI as an intelligence community leader. They aren’t suggesting illegal activity, merely showing us a method for hiding things from prying eyes. I use TrueCrypt to store data files from clients when I have to transport them from one physical location to another and there is no secure connection that I feel comfortable with. Not even SFTP is 100% secure. This is something that I wish people at the Social Security Administration, Mastercard, and so on would learn to do. None of my client’s data is illegal, but they still have a right to privacy.

  18. Anonymous

    It’s nice to have encryption, but I find it a bit over-rated. I find that keeping passwords written down and in a good quality safe is just about as secure. Keeping passwords (unencrypted) on a thumb drive, CD/DVD or even a floppy and putting that in the safe also works. But if it’s all written down, not even a nuclear EMP can wipe it out. And if you somehow become incapacitated then someone else (who you hopefully trust) can also get to the contents and act on your behalf. And if you really want to get crafty you can even encrypt those written down passwords with a cypher! No high tech anything required.

    So if you don’t think you need a safe, think again! You may not need something up to Fort Knox standards but you probably should have something that can withstand fire/flood damage. I’m sure everyone has sensitive papers like birth certificates, passports, car titles, property deeds, social security cards, etc. they want to keep. You just can’t digitize that stuff. And if you don’t put it in a safe somewhere then you probably just have it all laying around, exposed (likely in/on your desk or briefcase) and not protected. Even if you do have those things in a safe deposit box at a bank somewhere (and good for you if you do), you probably still want to have copies! (BTW, I also recommend having copies of your credit cards and anything else you carry around in your wallet.) Therefore, get yourself a fire/flood safe or even a fire box that you can hide. And put your passwords in there as well.

    Lastly, before I forget, make sure to bolt your safe to a good hard surface and lock it up when you’re not around. There’s no point in any of this if you don’t lock it up and bolt it down (or at least hide it somewhere other than the most obvious place like a closet). Something like a concrete floor would be best. Cause remember, if you can open it (cause it’s not locked) or move it then so can a burglar! So make sure any potential burglar can’t just open it up or walk off with your entire safe – or cut it out of your wall. Make sure it’s bolted to a good immoveable surface that won’t burn and be sure it’s bolted in a way that won’t easily let water get in (hint: use caulking. You might also want to check your safe’s “fire rating” to be sure you get a good one too.)

  19. John

    @ROBERT IN OREGON: The more rights to invade our privacy that law enforcement gets, the more we will like to protect it. This is a natural reaction from people.
    Reason for this will also become more clear as to the fact that if I, by honest mistake, do something doubtful and is taken to court, then with today’s surveillance of, all people, they will look at not relevant things to make my persons moral doubtful, instead of only focus on the action I am charge for.

    Let’s say that my honest mistake of action actually is a crime. I even admit it.
    The next thing will be to decide the punishment. Then, because of all extra data from today’s surveillance, the court will look at my other activity’s and judge different depending on those.
    Perhaps the judge is very much against abortion. Well, perhaps I am not and also actively support the women’s right for abortion.
    As the judge is a human being, he will dislike me more because of this and the punishment will be slightly harder. The more things we this agree on, the harder punishment I will get. The prosecutor will bring up things like this. There will be other things as well that I as a human being has my right to have my own opinion about, that might not be legal today. Only opinion. Lets say I think marijuana should be a legal drug, like alcohol. Well as my opinion will be brought up, even then is it not relevant, then the court will dislike me more and more because of different view of life.
    This is of course not relevant for the actually crime that I committed, by honest mistake, and admitted that I have done.

    This is a very real reason to protect your privacy as much as you can.

  20. UltimatePSV

    Now all we need to do is make sure no one hits us with a $5 wrench, a la xkcd.

  21. KD

    Not to nitpick but isn’t the KGB gone?

  22. keltari

    The government absolutely can decrypt TrueCrypt and other publicly available encryption tools. Whether or not they want to bother committing the resources is the question. They get around the resource issue by accessing your computers while they are on and they data decrypted and accessible by the system.

  23. Kevalin

    “Not to nitpick but isn’t the KGB gone?”

    Well, that’s optimistic. Only the letters have changed. I fear the nature of humans is such that there will always be some version of the “KGB” out there, nosing into business that really isn’t theirs for the sake of “National Security.”

    Worse, the definition of “National Security” will always change, based on who’s in power. Today, you’re cool… tomorrow, you’re the enemy.

  24. rob

    KGB? So quaint>.

  25. Jason

    I have to agree with Robert in Oregon on this one. In the third paragraph you say:

    “you can read up on Operation Satyagraha, where money launderer Daniel Dantas has successfully encrypted his data and kept the FBI at bay for as long as a year with the very tools we’re going to use today.”

    Are you celebrating the fact that a thief is “successfully” using TrueCrypt to avoid criminal prosecution? Who do you think bears the consequences of criminal activity like money laundering? Honest, law abiding people end up paying the bill (both figuratively and literally) and it’s the job of the police to investigate these crimes and put these people in jail where they belong. Whose side are you on anyway?

    We don’t need encryption to safeguard our information from the police, but rather from criminals like the one you seem to admire so much. The average citizen in the US and Canada should be a lot more concerned about organized crime groups and terrorists than about the police.

    Privacy is a legitimate concern for ordinary citizens in our digital world, but it is all too often used as a shield behind which thieves, pedophiles and other criminals can hide behind.

  26. Skeptic

    And if you opened that in Linux, what would happen :P

  27. GeekE

    Just in case you didn’t think breaking encryptions was a serious issue in the us:


  28. Edward

    Go TF2!

  29. Henry

    That’s what they want you to think…

  30. Peter H

    As I’ve said for years and have yet to have it disproven: Living is Dangerous to Your Health.
    I’d also like to add this: If You’ve Survived Thus Far, You Are Going to Die.

    Just a little reminder nothing in life is certain. But we all have to live it before we die.

  31. anonymous

    So its just an AES encrypter?

  32. Anonymous

    @ John

    Could you maybe not drink or read the Bible before posting? Think about your first sentences for a minute:

    The more rights to invade our privacy that law enforcement gets, the more we will like to protect it. This is a natural reaction from people.

    I get what you’re trying to say. I may have a slight issue with it, but it sounds like you’re trying to compose a legal document or possibly try and preach.

    That said, let me correct one other thing you seem to be mistaken about: law enforcement has no “rights”. We The People do! If anything, law enforcement has a duty to protect the people and the Constitution.

    And if you think it’s a natural reaction for a population to resist an increase in legal authority you may again be right. But there’s almost always a very good reason. Cause when any government body is granted immunity from the very same laws they are sworn to protect/enforce – such as the 4th Amendment to the Constitution (which has to do with search and seizure) – the whole thing becomes a sham if allowed to continue.

    I may also agree with your other opinions where we should all have the freedom to make our own choices, but you make it very hard to read.

  33. Anonymous

    Whoops! Sorry about the hair trigger on the “Submit Comment” button.

    I wanted to go on to say that encrypting documents has very little to do with legal rights or having to submit to unreasonable search and seizure.

    The whole point in this article and comment thread is to keep your sensitive information safe from prying eyes. Encryption is one good way at doing that. Writing it down and locking it up is another good way. Combine the two methods and your high school combination locker is almost never going to get cracked. That is, unless you’re the high school Principal! (But that’s another topic.)

  34. johny boy

    run meterpreter in the back

  35. Edweird


    I generally agree with your safe comments, but to do it right you need a data safe. These cost a bit more than the generic hardware store fire safes but do a better job protecting your media. For example, the maximum internal temperature for a data safe is 125F (52ºC) vs 350F (177ºC) for a plain fire safe.

    Depending on your needs, the increased cost for the better safe is fairly reasonable. A quick web search shows a Sentry Safe F2300 Waterproof Fire Chest with a 1/2 hour rating for $70.06 (retail’s about $103) at Larger sizes and longer ratings cost more. If you want something that can be bolted down you’ll also need to pay more (or keep it in a secure area/cage). Also, note that the 1/2 hour rating is based on a fire sweeping through a structure, not an extended inferno.

    As a person who doesn’t have a lot of expensive items, it’s debatable how secure I want to make my installation. The only things of value in my safe are only valuable to me (legal documents, backups of my genealogy data, etc.). Unfortunately, anyone stealing it wouldn’t know that until they cracked it open someplace else. In this situation they probably wouldn’t be too keen on returning it. Thus, I’m in a position that I have to secure it even though it has no real value.

    After the rash of tornadoes we’ve had the last few years (HSV, AL), I think it’s probably a good idea to write your name, address and telephone number on the outside and inside (in case fire burns the outside) of your safe in indelible ink (tags can get torn off). If found in the debris of the aftermath, it will be easier to return it to you, hopefully still locked.

  36. rajtheeban

    “How To Hide Passwords in an Encrypted Drive Even the FBI Can’t Get Into”

    Completely agree with Robert
    I’m completely chocked by the intentions of this new’s author and by the way the article was writed
    There is no point in opposing systematically geek occupation and FBI work, once again
    society without liberty is tyranny
    but society without security is jungle: I think FBI should have the righ to get even private information in dangerous case (kidnapping, terrorism etc)
    Too much liberty kills liberty

  37. Covertoperator

    @KB: Actually they are alive and thriving and lease offiices in the White House, Harvard University, and of course, the IRS. (Most of them are employed during peak tax seasons part time by the IRS).

  38. Ken

    If the FBI say that there having problems, 99.9% they already have what they want and are now checking to see all the others that can be netted. The fact that they would even say something like “problems” should make you think. Takes time to build a case or wipe someone from this earth. Format C: / ;)

  39. rubberfins

    In a word no! The KGB is gone but there are others with different acronyms that are just as bad if not worse.

  40. KGBalive

    @KD – KGB gone? Are you kidding? What do you think “Department of Homeland Security”stands for? Exactly the same as KGB in Russian (they called it Komitet Gosudarstvennoy Bezopasnosti, “Committee of Homeland Secuiry”, big difference!)

  41. Luc Schots

    If you want a view of what might happen when basic rights are invaded, check out Cory Doctorow”s ‘Little Brother’

  42. Brian Grove

    ONE MISTAKE in this page.
    You do NOT need to find a junk file to use to make your encrypted hidden volume. Once you’ve selected the right directory you can simply type in a filename which doesn’t exist. Truecrypt will then make a hidden volume using that filename.
    I have done this quite a bit in the last few weeks on my new portable hard drive

More Articles You Might Like

Enter Your Email Here to Get Access for Free:

Go check your email!